the appsec rouleur

AppSec

Are We Winning?

After reviewing the RSA session recap and the full State of Software Security 2025 report, I have reflected — not with cynicism, but with quiet scepticism.

The headlines suggest progress: the OWASP Top 10 pass rate has increased from 32% to 52% over five years, representing a 63% relative improvement. Veracode and others rightly note that this marks more movement than we have seen in the prior decade. But it is worth asking—what does that progress actually mean in context?

The report shows that 56% of applications still contain high-severity flaws, and nearly 48% fail OWASP Top 10 checks. Improvements are welcome, but half of the software estate does not yet meet even the most basic thresholds. Moreover, those thresholds themselves are narrow in scope. Attackers are not limited to the Top 10 flaws. They adapt, escalate, and target Tier 2 and 3 vulnerabilities, systemic misconfigurations, and the increasingly fragile software supply chain.

More concerning still, the average time to remediate flaws has increased from 171 days in 2020 to 252 days in 2025. That is a 47% increase. The median half-life for high-severity flaws is 111 days, and for third-party flaws it extends to twelve months. During that time, development continues at pace. We are identifying more flaws, but resolving fewer of them with urgency.

In this context, the conversation around AI warrants greater nuance. The report notes that AI-generated code may be “slightly worse” than human code, and raises concerns about velocity leading to increased vulnerability volume. That framing feels incomplete. AI is not merely a productivity tool; it is a catalyst for fundamental change. The critical issue may not be the quality of the code AI writes today, but the speed and scale at which AI is transforming how software is created and operated. Security models designed for static environments could struggle in an AI-native future.

The call for increased accountability, through attestation and software provenance, is understandable. There is a legitimate desire for more transparency and assurance. But without runtime validation, contextual telemetry, and continuous monitoring, attestation risks becoming another static compliance artefact in a dynamic, interconnected world.

To be clear, the report itself is thoughtful and well-constructed. But the broader narrative—that we are at a turning point—may be premature. The data suggests that our measurements are becoming more sophisticated but not necessarily more effective in achieving our outcomes.

We have indeed built better tools, improved our visibility, and made vulnerability discovery far more accessible. But if success is defined as finding more flaws, fixing them more slowly, and carrying increasing levels of unresolved risk, then perhaps we are still measuring the wrong things.

#AppSec #RuntimeSecurity #SecureByDesign #DevSecOps #SoftwareSupplyChain #SecurityLeadership #Veracode #RSAC2025

When Security Means Well, But Misses the Point

There’s no shortage of effort in security. Everyone’s scanning, patching, reviewing. The dashboards are full. The backlog is never empty. The intent is sincere.

And yet, something still feels… off.

Despite all the activity, we’re still missing what matters. Still caught off-guard. Still responding to incidents.

This isn’t a failure of effort. It’s a failure of focus.

False positives wear people down. Developers lose trust. Security teams burn out. And over time, the important alerts get lost in the clutter—not out of laziness, but out of fatigue.

We’re mistaking coverage for clarity. Action for progress.

The truth is, most tooling was designed for a different era—one where prevention was the only game in town, and runtime was where mistakes happened.

That’s changed.

Runtime security isn’t about giving up on prevention. It’s about bringing the story full circle.

It’s a chance to move from reactive firefighting to aware, responsive, focused defence.

Because when security starts by assuming people are already trying their best, it can finally start helping them succeed.

#AppSec #RuntimeSecurity #RiskReduction #DeveloperExperience #ADR